I'm hoping to get some advice on protecting a few websites hosted from a colocation rack. There is no schedule or deadline for it, so I'd like to take the time to design a robust setup before making heavy use of the servers. I have a vague idea of what it is that I'm looking for, but I don't know enough about complicated protocols like OSPF, BGP, and STP to reason whether or not they're necessary and/or where to place them.

I can get 6U of space for a good price, and I already have two light-duty 1U boxes with a lot of NICs and two beefier 2U boxes. The 1U boxes I'm thinking of turning into a redundant firewall with relayd load balancing (RNET) to the two boxes behind it. The two 2U boxes are acting as redundant web application servers (RWAS). This diagram shows what it might look like.

For RNETs:
- if0 - Dedicated IPMI port, not visible to the device's OS
- if1 - ISP connection. Dedicated Public IP for management and a shared public VIP used by relayd through if2 CARP...
- if2 - CARP for both RNET1 and RNET2
- if3 - "IPMI-IN" RNET1's if3 is connected to RNET2's if0, RNET2's if0 is connected to RNET1's if3. Makes it possible to reach an offline RNET from an online RNET. These should probably only be accessible to someone connecting through a VPN or SSH tunnel. Private IP.
- if4 - Connected to RWAS1's if2 or RWAS2's if1. Load balances using relayd to RWASs, SSL acceleration, also forwards SSH connections.
- if5 - Connected to RWAS2's if2 or RWAS1's if1. Load balances using relayd to RWASs, SSL acceleration, also forwards SSH connections.
- if6 - Connected to RWAS1's if0 or RWAS2's if0. Only to be used for Wake-On-LAN. Private IP.

For RWASs:
- if0 - Management port for the RWAS servers. Will have Wake-On-LAN enabled. These should probably only be accessible to someone connecting through a VPN or directly from the RNETs. Private IP.
- if1 - Connected to RNET1 and RNET2. Allows both RWAS1 and RWAS2 to communicate through either RNET1 or RNET2, even when one of the RNETs is offline. Gets HTTP and SSH connections. Public IP.
- if2 - Connected to RNET1 and RNET2. Allows both RWAS1 and RWAS2 to communicate through either RNET1 or RNET2, even when one of the RNETs is offline. Gets HTTP and SSH connections. Public IP.

IPs / Routing
The RWAS if1 and if2 interfaces will have their own public IP addresses.

Questions:

1. Does this make sense?
2. Will OSPF, STP, and BGP be needed to implement this?

As the servers become available to me, I'll update the thread with any new developments.

I don't believe, based on what you've posted, that you'll require use of either of the routing management protocols, nor should you require the bridge loop management protocol. The clients will reach this farm via its single outward facing carp(4) address. Your relayd(8) load balancer will manage the traffic to the back ends at Layer 3 and/or Layer 7, and carp(4) will manage back end redundant links as well.

I've set up a similar infrastructure with relayd, where the web servers were on separate platforms from the application servers and the database servers. I used relayd to manage all of the traffic between the web (nginx) and application (php-fpm) servers. However, all of that was in a lab environment; the infrastructure was never launched in production.
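To make the reply concrete, here is an added example of what the relayd(8) side of that design could look like: a minimal `relayd.conf` that listens on the shared carp(4) VIP, terminates TLS on the RNET, health-checks both RWAS back ends, and only keeps the ones answering on the table. This is illustration written for this thread, not configuration from either poster; the VIP, back-end addresses and names are assumptions taken from the RFC 5737 / RFC 1918 documentation ranges.

```conf
# Added illustration for the thread above, not the poster's configuration.
# Addresses and names below are assumptions, not values from the thread.

# Shared public VIP carried by carp(4) on both RNETs; relayd listens here.
# Whichever RNET is carp MASTER answers; the BACKUP takes over on failure.
vip="203.0.113.10"

# RWAS back ends, reached over the private RNET<->RWAS links (assumed).
rwas1="10.10.0.11"
rwas2="10.10.0.12"

# Table of back ends; hosts failing the check below are marked down and
# skipped, so a dead RWAS never receives client traffic.
table <rwas> { $rwas1 $rwas2 }

# Layer 7 HTTP relay: the RNET sees the request, so it can add headers
# telling the RWAS who the real client was (otherwise every hit would
# appear to come from the RNET's own address in the web server logs).
http protocol "https_front" {
    match request header set "X-Forwarded-For" value "$REMOTE_ADDR"
    match request header set "X-Forwarded-By" value "$SERVER_ADDR:$SERVER_PORT"
}

# TLS acceleration on the RNET: relayd loads the certificate and key for
# the listen address from /etc/ssl/203.0.113.10.crt and
# /etc/ssl/private/203.0.113.10.key by default (assumed file names).
relay "www_tls" {
    listen on $vip port 443 tls
    protocol "https_front"
    # Back ends speak plain HTTP on the private link; a back end stays in
    # rotation only while GET / returns HTTP 200.
    forward to <rwas> port 80 check http "/" code 200
}
```

The carp side is a one-line `/etc/hostname.carp0` on each RNET with the same VIP, `vhid` and `pass` but a different `advskew` (0 on the preferred master, higher on the other), and `carpdev` pointing at the ISP-facing interface. Check the result with `relayd -n -f /etc/relayd.conf` before enabling it and `relayctl show hosts` afterwards to confirm both RWAS entries report `up`; in this layout the RWAS public addresses and the RNET management address still need pf rules restricting SSH and the IPMI-IN link to the VPN, which relayd does not provide.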